PageSpeed insights recommends a nonce value for safe CSP

Hi – Since the Content Security Policy directives for sript-src are somehow contradictory (unsafe-inline) and google PageSpeed insights recommends to add a nonce value, i wonder if it is possible to add a nonce value for the optimized and aggregated scripts?
I tried the following:

function add_nonce($tag, $handle, $src) {
    $nonce_value = wp_create_nonce('my__script__nonce');
    return "<script defer='defer' nonce='".$nonce_value."' src='".$src."'></script>";//Usually the value in $tag variable looks similar to this script tag but without the async and defer
add_filter('script_loader_tag', 'add_nonce', 10, 2);

This works, but it prevents the aggregation of all scripts.
Is there a valid way to add a nonce attribute to aggregated script?
Is there a filter to capture the moment when aggregation happens and inject a nonce attribute?
Thanks for a feedback.
regards – theo

  • This topic was modified 9 hours, 24 minutes ago by timholz.


This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer